Account Lockout Policy

The response from the Epicor ticket:

QUESTION: Is it intended behavior that, if the user ID is locked out after exceeding the lockout threshold attempts, the user is then able to remember his correct password, log in to Epicor successfully, and the system then automatically removes the lock after the lockout duration has passed?

ANSWER: Correct, that would be our intended behavior.

So the “Locked Out” flag is cleared by either using A) Actions -> Unlock Account, or B) the user entering the correct password (after the timeout has expired)?

Does the expiration of the timeout also clear the “Locked User” flag?

I’m with Epicor on this one for sure. If you’ve got a decent password length (say 14 characters) and set the lockout threshold at say 3, this gives your genuine user the chance to log in successfully. If they got it wrong 3 times, then they have to wait for say 15 mins before trying again. They might have been putting in a password from another system, and as soon as it locks them out they have that lightbulb moment and remember which password to use. They wait 15 mins, log in no problem: no help desk call, no lost time (except the 15 mins, which is a positive link created in their brain about which password is for which system).

If, on the other hand, it is an automated computer program trying to hack into their account, then after 3 attempts it has to wait 15 mins; that would take literally years, centuries even, to brute force the password. If the password gets changed every 3 months, it’s a constantly moving target.

Supplement the above with some monitoring to show users who frequently get locked, and then offer training/a password manager/find out why their account is being targeted and where from.

That makes sense. It just seems like if the duration was zero, then if they exceeded the number of attempts it would be locked out permanently and not allow the user to constantly re-try passwords forever with no delays. Once we set it up this way, we saw that yes, the user got “locked out” after 5 incorrect attempts, but not that they were permanently locked out. Instead they are able to enter a password, get in, and remove the lock with no system admin intervention. Epicor should not allow you to put a zero in the duration field then, and should just have a minimum value of 1 minute at least. It looks like our option is to increase our duration value to something acceptable and just know that at any time, regardless of whether the account says it is “locked out”, that does not explicitly remove access to the system. I know it’s a small chance, but if someone actually phished or got ahold of someone’s password then they are in anyways, I guess. That all makes sense. Epicor should just not allow a zero in the duration field because that just makes it confusing. Also, if it’s zero the user gets no notification about being locked out or exceeding the attempt threshold. That would be our complaint at this point. Thank you for all of the feedback.

No, it doesn’t look like it. It either has to be cleared with the methods you mentioned OR you reset and/or expire the user’s password.
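The behaviour the thread pins down (threshold, duration, the “Locked Out” flag surviving expiry, the zero-duration case, and the brute-force arithmetic from the earlier reply) as an added model, not Epicor’s code; the 95-symbol alphabet, the minute-based clock and the counter reset on lock are assumptions:

```python
from dataclasses import dataclass
from typing import Optional

# Added example, not Epicor's code: a model of the lockout behaviour the
# thread describes. After `threshold` consecutive failures the "Locked Out"
# flag is set; it is cleared only by a correct login or an admin unlock, and
# a correct login is accepted again once `duration_min` minutes have passed.
# Assumption: the failure counter restarts at 0 when the flag is set.

@dataclass
class Account:
    password: str
    failures: int = 0
    locked_at: Optional[float] = None  # minute the flag was set; None if clear

    @property
    def flagged_locked(self) -> bool:
        return self.locked_at is not None

@dataclass
class LockoutPolicy:
    threshold: int
    duration_min: float

    def attempt(self, acct: Account, password: str, now_min: float) -> str:
        """Outcome of one login attempt at minute now_min: 'locked', 'ok' or 'fail'."""
        if acct.flagged_locked and now_min - acct.locked_at < self.duration_min:
            return "locked"  # still inside the lockout window
        # Never locked, or the window has passed: the flag may still show
        # "locked out", but it no longer blocks the attempt.
        if password == acct.password:
            acct.failures, acct.locked_at = 0, None  # correct login clears flag
            return "ok"
        acct.failures += 1
        if acct.failures >= self.threshold:
            acct.locked_at, acct.failures = now_min, 0
        return "fail"

    def guesses_per_year(self) -> float:
        """Upper bound on online guesses the policy allows in one year."""
        if self.duration_min <= 0:
            return float("inf")  # duration 0: the lock never delays anyone
        return self.threshold * (365 * 24 * 60 / self.duration_min)

def admin_unlock(acct: Account) -> None:
    """Actions -> Unlock Account: clears the flag and the counter."""
    acct.failures, acct.locked_at = 0, None

def years_to_exhaust(policy: LockoutPolicy, alphabet: int, length: int) -> float:
    return alphabet ** length / policy.guesses_per_year()  # years to try every password
```

With threshold 3 and duration 15 the policy allows 105,120 online guesses a year, so exhausting 14-character passwords over a 95-symbol alphabet takes on the order of 10^22 years; with duration 0 the bound is unbounded, which is exactly the complaint above.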

Hello,
When we log in to the user menu, Unlock Account is greyed out. My permission is System Manager and it is still greyed out.
Which account can we use to unlock a user’s account?

Thanks,

Eddy

You unlock the account in the action menu, not by clicking the box.

Yes, I went to the Action menu and it was greyed out. So I think it may need the System Manager account.

Regards,

Eddy